Team

Target IP: 10.10.243.240


Scanning

[screenshot]
[screenshot]
There are three TCP ports open on the target machine: FTP, SSH, and HTTP. It looks like the FTP application does not allow anonymous login; therefore, I will start enumeration with the HTTP application on port 80.


Enumeration

Port 80: HTTP
[screenshot]
A curl request to the target machine returns a message telling me to add team.thm to /etc/hosts, so I appended the host to the hosts file.

[screenshot]
Browsing to http://team.thm displays the webpage above.

[screenshot]
Running gobuster dir -u http://team.thm -w /usr/share/wordlists/dirb/big.txt -x php,html,txt displays the interesting result above. The robots.txt page contains one possible username: dale.

[screenshot]
Browsing to /scripts/script.txt returns the content above. This script mentions that there is another script containing the credentials. I tried changing the extension of the script to other names like .sh, .py, etc.

[screenshot]
But when I changed the extension name to .old, I got a hit. I now have the credential ftpuser:T3@m$h@r3.

Port 21: FTP
[screenshot]
Using the credential from the old script file, I gained access to the FTP application. There is interesting content here.

[screenshot]
The workshare directory contains a text file called New_site.txt which contains the message above. There are two possible usernames: dale and gyles.

[screenshot]
I tried putting team.thm.dev inside the /etc/hosts file, but that did not work either. Then I performed subdomain fuzzing using the command ffuf -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt -H "Host: FUZZ.team.thm" -u http://team.thm -fs 11366 and obtained the result above. There is an interesting subdomain: www.dev.

[screenshot]
I appended the hostnames above to the /etc/hosts file.

[screenshot]
And now http://www.dev.team.thm/ works and displays the webpage above. It looks like a dev site that is not fully built.

[screenshot]
There is an interesting parameter called page. Can I perform LFI?


Exploitation

[screenshot]
I can perform LFI using the interesting parameter page. I obtained the /etc/passwd file and there are two usernames: dale and gyles. I tried to obtain the id_rsa file of both users but I had no luck.

[screenshot]
After LFI fuzzing with ffuf using the command ffuf -w /usr/share/wordlists/seclists/Fuzzing/LFI/LFI-Jhaddix.txt -u http://www.dev.team.thm/script.php?page=../../../../../../../FUZZ -fs 1, I noticed an interesting payload, etc/ssh/sshd_config, which contains the SSH key of dale. Using curl, I obtained the SSH key and saved it on my local machine.
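As a defender-side addition that is not part of this write-up: a Python sketch of the two controls that would have closed this LFI (an allowlisted page parameter resolved strictly under the include root), plus a check that flags traversal in the page parameter across constructed access-log lines. The include root, page names, and log lines are assumptions, not values from the target.

```python
import os
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed example values: the write-up does not show the dev site's real
# include root or page names, so these are assumptions.
PAGES_DIR = "/var/www/dev/pages"
KNOWN_PAGES = {"home", "about", "contact"}
SAFE_NAME = re.compile(r"^[a-z0-9_-]{1,32}$")


def resolve_page(page_param, base=PAGES_DIR, known=KNOWN_PAGES):
    """Map ?page=<value> to a file under base, or return None to refuse it.

    Allowlist first; then, as defence in depth, confirm the normalised path
    still lies inside base so traversal like ../../etc/ssh/sshd_config fails.
    """
    if not SAFE_NAME.match(page_param) or page_param not in known:
        return None
    root = os.path.normpath(base)
    candidate = os.path.normpath(os.path.join(root, page_param + ".php"))
    # normpath collapses '..' segments; anything that escaped base is refused.
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


# Constructed access-log lines in common log format (not from the write-up).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /script.php?page=home HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /script.php?page=../../../../../../../etc/passwd HTTP/1.1" 200 1874
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /script.php?page=..%2f..%2f..%2fetc%2fssh%2fsshd_config HTTP/1.1" 200 3244
10.0.0.7 - - [01/Jan/2024:10:00:04 +0000] "GET /script.php?page=about HTTP/1.1" 200 480
"""

REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) ')


def find_lfi_attempts(log_text):
    """Return (client_ip, decoded page value) for requests whose page
    parameter carries traversal, absolute-path or NUL markers."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        ip, target = m.groups()
        for value in parse_qs(urlsplit(target).query).get("page", []):
            decoded = unquote(value)  # parse_qs decoded once; again for double-encoding
            if ".." in decoded or decoded.startswith("/") or "\x00" in decoded:
                hits.append((ip, decoded))
    return hits
```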

[screenshot]
And now I have a foothold on the machine using the SSH key.


Privilege Escalation

[screenshot]
I transferred pspy64 to the target machine and received the output above. There are three main scripts of interest.

[screenshot]
The binary /home/gyles/admin_checks can be executed by gyles with sudo. By exploiting the input, I opened a shell as gyles.

[screenshot]
gyles is a member of the admin group, which means I can modify the script /usr/local/bin/main_backup.sh.

[screenshot]
I injected a reverse shell into main_backup.sh and received a root shell on port 21 on my local machine.


Flags

[screenshot]
The user.txt flag, obtained once I had a foothold on the machine as dale over SSH.

[screenshot]
The root.txt flag.